Wednesday, August 04, 2010

Government and Green Push for Smart Grid Not a Good Idea

The so-called "smart grid" is a certain recipe for disaster, according to security experts who met in Las Vegas recently. Government and faux environmental groups are pressing utilities hard to install the electronic infrastructure for the "smart grid," even as better-informed persons are discovering more reasons to object.

Utilities are being encouraged to install this smart-grid technology--network-connected devices to help intelligently monitor and manage power usage--through funding from the U.S. government's 2009 stimulus package. The smart systems could save energy and automatically adjust usage within homes and businesses. Customers might, for example, agree to let a utility remotely turn off their air conditioners at times of peak use in exchange for a discount.

But to receive the stimulus money, utilities will have to install new devices across their entire customer base quickly. Security experts say that this could lead to problems down the road--as-yet-unknown vulnerabilities in hardware and software could open up new ways for attackers to manipulate equipment and take control of the energy supply.

Smart-grid deployments involve installing smart meters in homes and businesses across a utility's coverage area. These meters can communicate with the utility and with other networked devices--usually via a wireless network of some type. Some ways to hijack this type of equipment have already been revealed. Last year, Mike Davis, a senior security consultant at IOActive, created a piece of software that could spread automatically between smart-grid hardware in different homes. The software would then be capable of shutting equipment down.

The security of the smart grid was a major topic at Black Hat. The conference brings together researchers from academia, industry, government, and the hacking underground.

...A serious vulnerability might make it possible to shut down the power supply to an entire city.

...It may be particularly hard to protect the smart grid because would-be attackers will have physical access to components connected to the network. Pollet says that all it takes is for one determined attacker to find a way in--information about how to hack a device is then quickly shared online. "Those who have the intent and motivation can do this stuff," he says.

Shawn Moyer, who practices network security for Agura Digital Security, says he's concerned that utilities don't have expertise in network security. For example, he says, many advertise that they offer encryption in their smart-grid products, but on further inspection, there are problems with how that encryption is implemented.

Moyer and Keltner revealed a proof-of-concept smart-grid attack at Black Hat. They used a customizable piece of radio equipment and some freely available software to find smart meters on a network and circumvent the encryption used to protect them. If an attacker were to do the same, they say, it would be possible to issue commands that could misreport data to the utility or shut off power to some users. _TechnologyReview

When the momentum toward societal quasi-suicide grows this great, it is difficult for small numbers of persons to make a large difference. Sometimes it is smarter to simply look to the security of one's self, one's family, and one's community.